[FIG. 1: block diagram of the intrusion detection agent. Labelled blocks: AGENT, TEMPLATES, CORRELATION ENGINE, KERNEL AUDIT DATA, SYSLOG DATA (reference numerals 50, 60, 65, 70, 72, 78).]

[FIG. 2: "How do the agent processes fit together?" Process blocks and their captions: idsSSLagent (200); idsagent (210): controls all agent processes; idscor (220): correlates data from DSPs and detects intrusions; idssysdsp: gathers data from system log files (syslog etc.); idskerndsp (240): gathers data from the kernel IDDS driver; IDDS Kernel Driver (270). Data-flow labels: alert messages from idscor; local alert file; detection templates; system call data from kernel.]

[FIG. 3: flow of an audited system call from the user process to an alert. Steps, in order: user process calls a library function in libc (305); libc makes a system call into the kernel (310); the syscall path checks if the syscall is audited and gathers data (315); data is put on a circular buffer (320); the syscall returns to the user application (325); the IDDS Kernel Driver (270) reads the record from the buffer (330); idskerndsp reads records (335) and formats the data from the kernel IDDS driver into ASCII form (340); the ASCII audit record is sent to idscor for processing (342); idscor parses the data from the DSP and provides it to the currently loaded templates (345); the templates determine if a potential intrusion has occurred; an alert message is sent to idsagent (355); idsagent receives the alert message from idscor, executes the response script (365), logs to the local alert file (300), and reformats the alert for the GUI (375); idsSSLagent (200) sends the alert to the GUI (380); the alert text is sent to the GUI in an SSL packet (385). Other labelled elements: Local alert file; Detection templates.]